[Openswan Users] [PATCH] fix SA leaks in openswan 2.6.22 when using klips

willer.wang at cybertan.com.tw willer.wang at cybertan.com.tw
Tue Aug 4 07:15:24 EDT 2009

	I have tested this patch, it works.
	The expired SA will be removed and HW OCF resource can be freed correctly.
	But I found another problem when using this patch,
	I established 5 tunnels, and all ipsec_lifetime=60(s).
	After 21 hours, all tunnels disconnected.
	And console keeps showing  
	"ipsec_SAref_alloc: unexpected error, 
	refFreeListHead = 102 point to invalid entry"

	It seems that if total SA ref number > 2^15.
	The sadb became crashed.
	Can someone give me advice or direction about this problem ?


-----Original Message-----
From: David McCullough [mailto:David_Mccullough at securecomputing.com] 
Sent: Monday, August 03, 2009 9:52 AM
To: users at openswan.org; dev at openswan.org
Cc: Willer Wang 王明偉 (52216); Martin Schiller
Subject: [PATCH] fix SA leaks in openswan 2.6.22 when using klips

Hi all,

Here's the followup to some of the SA problems people have been seeing.
Two patches,  the refcount patch is the minimum required, the tracking patch
includes the debug code I used to clean up the refcount usage.

I have been rekeying tunnels every minute for most of the weekend with this
applied.  Let me know if you have any problems.  Just note that this patch
doesn't include Martins patch from last week.


David McCullough,  david_mccullough at securecomputing.com,  Ph:+61 734352815
McAfee - SnapGear  http://www.snapgear.com                http://www.uCdot.org


This e-mail transmission originated at CyberTAN Technology, Inc., and may contain privileged or
confidential information that is the property of CyberTAN and protected by law from disclosure.
If you are not an intended recipient of this transmission and you received it in error,
please inform the sender by reply e-mail and destroy this and all other copies of this transmission
to which you have access. Thank you.

More information about the Users mailing list